Critical Infrastructures: Background, Policy, and Implementation John D. Moteff Specialist in Science and Technology Policy June 10, 2015 Congressional Research Service 7-5700 www.crs.gov RL30153 Critical Infrastructures: Background, Policy, and Implementation Summary The nation’s health, wealth, and security rely on the production and distribution of certain goods and services. The array of physical assets, functions, and systems across which these goods and services move are called critical infrastructures (e.g., electricity, the power plants that generate it, and the electric grid upon which it is distributed). The national security community has been concerned for some time about the vulnerability of critical infrastructure to both physical and cyberattack. In May 1998, President Clinton released Presidential Decision Directive No. 63. The Directive set up groups within the federal government to develop and implement plans that would protect government-operated infrastructures and called for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect all of the nation’s critical infrastructures by the year 2003. While the Directive called for both physical and cyber protection from both man-made and natural events, implementation focused on cyber protection against man-made cyber events (i.e., computer hackers). Following the destruction and disruptions caused by the September 11 terrorist attacks in 2001, the nation directed increased attention toward physical protection of critical infrastructures. Over the intervening years, policy, programs, and legislation related to physical security of critical infrastructure have stabilized to a large extent. However, current legislative activity has refocused on cybersecurity of critical infrastructure. This report discusses in more detail the evolution of a national critical infrastructure policy and the institutional structures established to implement it. The report highlights two primary issues confronting Congress going forward, both in the context of cybersecurity: information sharing and regulation. Congressional Research Service Critical Infrastructures: Background, Policy, and Implementation Contents Introduction ...................................................................................................................................... 1 Federal Critical Infrastructure Protection Policy: In Brief............................................................... 2 The President’s Commission on Critical Infrastructure Protection ................................................. 3 Presidential Decision Directive No. 63 ............................................................................................ 4 Restructuring by the Bush Administration ....................................................................................... 7 Pre-September 11 ...................................................................................................................... 7 Post-September 11 ..................................................................................................................... 8 Executive Orders ................................................................................................................. 8 National Strategy for Homeland Security ......................................................................... 10 HSPD-7 ............................................................................................................................. 10 The Obama Administration ............................................................................................................ 12 Initial Efforts ........................................................................................................................... 12 Cybersecurity Legislation and Executive Orders .................................................................... 13 PPD-21 .................................................................................................................................... 14 Department of Homeland Security ................................................................................................ 15 Initial Establishment ................................................................................................................ 15 Second Stage Review Reorganization ..................................................................................... 16 Post-Katrina Emergency Management Reform Act of 2006 ................................................... 17 Continued Organizational Evolution ....................................................................................... 18 Policy Implementation ................................................................................................................... 18 Government-Sector Coordination............................................................................................ 18 National Critical Infrastructure Plan ........................................................................................ 21 Information Sharing and Analysis Center (ISAC) ................................................................... 23 Identifying Critical Assets, Assessing Vulnerability and Risk, and Prioritizing Protective Measures ............................................................................................................. 26 Cybersecurity Framework ....................................................................................................... 27 Issues and Discussion .................................................................................................................... 27 Information Sharing ................................................................................................................. 28 Regulation................................................................................................................................ 30 Tables Table 1. Lead Agencies per PDD-63................................................................................................ 4 Table 2. Current Lead Agency Assignments .................................................................................. 19 Table 3. NIPP 2013: Guiding Tenets and Call to Action ............................................................... 24 Table A-1. Funding for the Infrastructure Protection and Information Security Program ............. 33 Table A-2. FY2015 Funding for Selected FEMA Grants............................................................... 34 Congressional Research Service Critical Infrastructures: Background, Policy, and Implementation Appendixes Appendix. Funding for Critical Infrastructure ............................................................................... 31 Contacts Author Contact Information........................................................................................................... 35 Congressional Research Service Critical Infrastructures: Background, Policy, and Implementation Introduction Certain socioeconomic activities are vital to the day-to-day functioning and security of the country; for example, transportation of goods and people, communications, banking and finance, and the supply and distribution of electricity and water. Domestic security and our ability to monitor, deter, and respond to hostile acts also depend on some of these activities as well as other more specialized activities like intelligence gathering and command and control of police and military forces. A serious disruption in these activities and capabilities could have a major impact on the country’s well-being.1 These activities and capabilities are supported by an array of physical assets, functions, information, people, and systems, forming what has been called the nation’s critical infrastructures. These infrastructures have grown complex and interconnected, meaning that a disruption in one may lead to disruptions in others.2 Any number of factors can cause disruptions: poor design, operator error, physical destruction due to natural causes, (earthquakes, lightning strikes, etc.) or physical destruction due to intentional human actions (theft, arson, terrorist attack, etc.). Over the years, operators of these infrastructures have taken measures to guard against, and to quickly respond to, many of these threats, primarily to improve reliability and safety. However, the terrorist attacks of September 11 in 2001, and the subsequent anthrax attacks, demonstrated the need to reexamine protections in light of the terrorist threat, as part of an overall critical infrastructure protection policy.3 This report provides an historical background and tracks the evolution of such an overall policy and its implementation. However, specific protections associated with individual infrastructures is beyond the scope of this report. For CRS products related to specific infrastructure protection efforts, the reader is encouraged to visit the CRS Issues Before Congress webpage, click on Homeland Security and Terrorism, then Homeland Security, then Critical Infrastructure and Transportation Security.4 1 As a reminder of how dependent society is on its infrastructure, in May 1998, PanAmSat’s Galaxy IV satellite’s on- board controller malfunctioned, disrupting service to an estimated 80-90% of the nation’s pagers, causing problems for hospitals trying to reach doctors on call, emergency workers, and people trying to use their credit cards at gas pumps, to name but